On 13/12/25, AKASHI Takahiro wrote:
> audit_syscall_exit() saves a result of regs_return_value() in intermediate
> "int" variable and passes it to __audit_syscall_exit(), which expects its
> second argument as a "long" value.
> This will result in truncating the value returned by a system call and
> making a wrong audit record.
> I don't know why gcc compiler doesn't complain about this, but anyway it
> causes a problem at runtime on arm64 (and probably most 64-bit archs).
>
> Signed-off-by: AKASHI Takahiro <[email protected]>
Thanks for catching this, Takakiro.
> ---
> include/linux/audit.h | 2 +-
> 1 file changed, 1 insertion(+), 1 deletion(-)
>
> diff --git a/include/linux/audit.h b/include/linux/audit.h
> index c49a312..3dcb3f0 100644
> --- a/include/linux/audit.h
> +++ b/include/linux/audit.h
> @@ -144,7 +144,7 @@ static inline void audit_syscall_exit(void *pt_regs)
> {
> if (unlikely(current->audit_context)) {
> int success = is_syscall_success(pt_regs);
> - int return_code = regs_return_value(pt_regs);
> + long return_code = regs_return_value(pt_regs);
>
> __audit_syscall_exit(success, return_code);
> }
- RGB
--
Richard Guy Briggs <[email protected]>
Senior Software Engineer, Kernel Security, AMER ENG Base Operating Systems, Red
Hat
Remote, Ottawa, Canada
Voice: +1.647.777.2635, Internal: (81) 32635, Alt: +1.613.693.0684x3545
--
Linux-audit mailing list
[email protected]
https://www.redhat.com/mailman/listinfo/linux-audit
